From: ludo@gnu.org (Ludovic Courtès)
To: Cyril Roelandt <tipecaml@gmail.com>
Cc: guix-devel@gnu.org
Subject: Re: [PATCH 01/12] guix: download: properly detect https when mirror:// is used.
Date: Fri, 16 Oct 2015 12:14:28 +0200
Message-ID: <871tcvrugr.fsf@gnu.org>
In-Reply-To: <1444686068-7668-2-git-send-email-tipecaml@gmail.com> (Cyril Roelandt's message of "Mon, 12 Oct 2015 23:40:57 +0200")

[-- Attachment #1: Type: text/plain, Size: 1826 bytes --]

Cyril Roelandt <tipecaml@gmail.com> wrote:

> * guix/download.scm (url-fetch): fix need-gnutls? which always returned #f when
>   a URL with "mirror://" scheme was used.

[...]

>    (define need-gnutls?
> -    ;; True if any of the URLs need TLS support.

Please keep/adjust the comment.

> -    (let ((https? (cut string-prefix? "https://" <>)))
> -      (match url
> -        ((? string?)
> -         (https? url))
> -        ((url ...)
> -         (any https? url)))))
> +    (let ((https? (lambda (uri)
> +                    (eq? 'https (uri-scheme uri)))))
> +      (any https? (append-map (cut build:maybe-expand-mirrors <> %mirrors)
> +                  (match url
> +                    ((_ ...) (map string->uri url))
> +                    (_       (list (string->uri url))))))))
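Review bot: in the new need-gnutls?, (string->uri url) is handed straight to build:maybe-expand-mirrors and then to uri-scheme, but Guile's string->uri returns #f for a string it cannot parse, so a malformed entry in url now surfaces as a wrong-type error when uri-scheme is applied to #f rather than as a report of a bad URL; consider checking the result first, e.g. (or (string->uri url) (error "invalid URL" url)), before expanding mirrors.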

This looks like a good idea, but it might raise bootstrapping issues.

For instance, what if mirror://gnu includes HTTPS URLs?  Try the
following:

  guix gc -d /gnu/store/*-glibc-2.22.tar.xz
  ./pre-inst-env guix build -S \
     -e '(@@ (gnu packages commencement) glibc-final)' \
     --no-substitutes

If mirror://gnu contains HTTPS URLs, this will create a circular
dependency (glibc’s source depends on GnuTLS, which depends on glibc,
which depends on glibc’s source), leading to a stack overflow and
maximum user unhappiness.

To address that, I modified the patch as shown in the attached file.  It
solves the bootstrapping case.

But that still doesn’t handle the more general problem of creating a
circular dependency between GnuTLS and source downloads.  That could
actually happen anywhere in the package graph.  So all in all, I’d
rather take the conservative approach and avoid that.

Is there a mirror for which that is a serious issue?

Thanks,
Ludo’.


[-- Attachment #2: the patch --]
[-- Type: text/x-patch, Size: 3617 bytes --]

From ae4e4168aefd04b001ba1dd368fb08ae0c5af433 Mon Sep 17 00:00:00 2001
From: Cyril Roelandt <tipecaml@gmail.com>
Date: Mon, 12 Oct 2015 23:40:57 +0200
Subject: [PATCH] download: Detect https when mirror:// is used.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* guix/download.scm (url-fetch): Add #:allow-tls? parameter and honor
  it.
  [https?]: New local procedure.
  [need-gnutls?]: Check whether any of the mirrors requires HTTPS.

Signed-off-by: Ludovic Courtès <ludo@gnu.org>
---
 gnu/packages/bootstrap.scm |  5 ++++-
 guix/download.scm          | 25 ++++++++++++++++---------
 2 files changed, 20 insertions(+), 10 deletions(-)

diff --git a/gnu/packages/bootstrap.scm b/gnu/packages/bootstrap.scm
index f5bf069..8ab9713 100644
--- a/gnu/packages/bootstrap.scm
+++ b/gnu/packages/bootstrap.scm
@@ -63,7 +63,10 @@
               #:optional name #:key system)
       (fetch url hash-algo hash
              #:guile %bootstrap-guile
-             #:system system)))
+             #:system system
+
+             ;; Make sure we don't introduce a dependency on GnuTLS.
+             #:allow-tls? #f)))
 
   (define %bootstrap-patch-inputs
     ;; Packages used when an <origin> has a non-empty 'patches' field.
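Review bot: passing #:allow-tls? #f here keeps GnuTLS out of the bootstrap derivations, but it does not remove https:// URLs from the candidate list, and the second file adds https://ftpmirror.gnu.org/ to the gnu mirror scheme that these bootstrap origins use; it is worth confirming that the build-side downloader skips an https URL cleanly when no GnuTLS is available, rather than aborting the whole fetch, or else filtering such URLs out when allow-tls? is #f.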
diff --git a/guix/download.scm b/guix/download.scm
index 204cfc0..2780f4c 100644
--- a/guix/download.scm
+++ b/guix/download.scm
@@ -45,6 +45,7 @@
           '(;; This one redirects to a (supposedly) nearby and (supposedly)
             ;; up-to-date mirror.
             "http://ftpmirror.gnu.org/"
+            "https://ftpmirror.gnu.org/"
 
             "ftp://ftp.cs.tu-berlin.de/pub/gnu/"
             "ftp://ftp.funet.fi/pub/mirrors/ftp.gnu.org/gnu/"
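Review bot: adding an https:// entry to the gnu mirror list makes need-gnutls? true for every mirror://gnu origin, so every such source derivation outside the bootstrap set now gains GnuTLS as an input, which is the circular-dependency risk the cover message describes; and because the http:// entry precedes it and is tried first, the https entry only ever acts as a fallback. Either place the https entry first so the cost buys an actual TLS download, or leave the gnu list as it was.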
@@ -216,7 +217,8 @@
 (define* (url-fetch url hash-algo hash
                     #:optional name
                     #:key (system (%current-system))
-                    (guile (default-guile)))
+                    (guile (default-guile))
+                    (allow-tls? #t))
   "Return a fixed-output derivation that fetches URL (a string, or a list of
 strings denoting alternate URLs), which is expected to have hash HASH of type
 HASH-ALGO (a symbol).  By default, the file name is the base name of URL;
@@ -226,7 +228,10 @@ When one of the URL starts with mirror://, then its host part is
 interpreted as the name of a mirror scheme, taken from %MIRROR-FILE.
 
 Alternately, when URL starts with file://, return the corresponding file name
-in the store."
+in the store.
+
+ALLOW-TLS? determines whether to allow TLS for downloads, which entails adding
+a dependency on GnuTLS."
   (define file-name
     (match url
       ((head _ ...)
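Review bot: the new docstring paragraph says what ALLOW-TLS? enables but not what happens to https:// URLs when it is #f (whether they are skipped, or the fetch fails when only such URLs are given); a sentence stating that behaviour would save callers such as the bootstrap code from having to read the builder.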
@@ -234,18 +239,20 @@ in the store."
       (_
        (basename url))))
 
+  (define (https? uri)
+    (eq? 'https (uri-scheme uri)))
+
   (define need-gnutls?
     ;; True if any of the URLs need TLS support.
-    (let ((https? (cut string-prefix? "https://" <>)))
-      (match url
-        ((? string?)
-         (https? url))
-        ((url ...)
-         (any https? url)))))
+    (any https?
+         (append-map (cut build:maybe-expand-mirrors <> %mirrors)
+                     (match url
+                       ((_ ...) (map string->uri url))
+                       (_       (list (string->uri url)))))))
 
   (define builder
     #~(begin
-        #+(if need-gnutls?
+        #+(if (and allow-tls? need-gnutls?)
 
               ;; Add GnuTLS to the inputs and to the load path.
               #~(eval-when (load expand eval)
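Review bot: with (and allow-tls? need-gnutls?), the case allow-tls? = #f and need-gnutls? = #t (at least one expanded URL is https) silently builds the fetcher without GnuTLS, leaving https URLs in the list that cannot succeed at download time; consider emitting a warning at that point, or dropping those URIs from the list handed to the builder, so the mismatch is visible before the derivation runs. The same #f-from-string->uri concern noted on the original hunk applies to (map string->uri url) here.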
-- 
2.5.0

